Real world security check – A pension fund tests its defenses

Stephan, could you briefly explain the roles of the Ambassador Stiftung and VM-F

The Ambassador Stiftung is a collective pension foundation. Operational management – from IT infrastructure and professional staff to day-to-day administration – is handled by VM-F, which I own and lead. We ensure that the foundation operates professionally. And for us, it was clear: when it comes to cybersecurity, we must act proactively – especially because we share responsibility for the security of the systems.

Why is cybersecurity particularly relevant for the Ambassador Stiftung?

The consequences of a cyberattack on a pension fund are very different from those on an industrial company: it's not about production downtime, but about protecting highly sensitive data. Salary information, social security numbers, divorce agreements, capital withdrawals – even accident or medical records: if such data were to fall into the wrong hands or end up on the dark web, the damage to our beneficiaries would be immense. We take this responsibility very seriously.

How did you come across GObugfree?

Through our cybercrime insurance with Helvetia. Our contact there recommended working with GObugfree as a practical way to test our infrastructure. I followed up, made contact, and initiated the bug test – specifically for the systems of the Ambassador Stiftung.

You work with an external IT provider – how did they respond to the planned bug test?

Very professionally and constructively. I’ve heard of cases where IT partners become defensive or try to downplay results when external tests are conducted. Ours was different: our provider was interested, open, and eager to learn. That signaled that this was about collaborative improvement, not finger-pointing. For me, that was a key factor in the test’s success.

What did you gain from the bug test?

First and foremost: certainty. We wanted to know whether we were truly as secure as we believed – or whether there were vulnerabilities we had missed. The test confirmed that we’re doing a lot of things right, but it also showed areas where we can sharpen our setup. We addressed those findings directly with our IT provider.

How was your experience working with GObugfree?

Very positive. The process was transparent, easy to plan, and we received professional support – from preparation to the debrief with the board of trustees. What I particularly appreciated was that the communication was clear and accessible, even for non-technical people. The final report was well-structured and helped us convey the findings internally. That increased buy-in and showed: cybersecurity isn’t just an IT issue – it affects the entire organization.

Apart from the bug test, how do you approach cybersecurity more broadly?

We rely on a combination of technical and organizational measures: staff training, clear login rules, two-factor authentication, documented backup processes, and regular restoration tests. We also focus on emergency planning – we’ve thought through critical scenarios and defined processes so that everyone knows what to do if something happens. For us, a healthy security culture means that questions are welcome – better to ask one time too many than to take a risk.

What would you recommend to others considering a bug test?

Don’t hesitate. Don’t fall into a false sense of security – not even if you have insurance or a good gut feeling. For us, the bug test wasn’t a control mechanism – it was a chance to improve. And it sends a strong message to our clients: we test what we do – and improve what we can.